Ancillary Administrative Services Agreement with Lifetime Benefit Solutions, Inc.

Docusign Envelope ID: 649C416D-7329-4C4E-85C0-BEC8256F98DDDocusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

ANCILLARY ADMINISTRATIVE SERVICES AGREEMENT

This Administrative Services Agreement (“ASA”) is between Lifetime Benefit Solutions, Inc. (“LBS”), a New York Corporation with a principal place of business at 333 Butternut Drive, Syracuse, NY 13214 and Village of Red Hook (“Client”), with a principal place of business at:

7467 South Broadway, red hook, NY 12571 concerning the Client’s welfare benefit and/or fringe benefit plan(s) as identified in this ASA (the “Plan”). This ASA is effective as of May 1, 2026 (the “Effective Date”). The ASA, together with the Spending Accounts Terms and Conditions, constitute the entire agreement between Client and LBS (“Agreement”).

In consideration of the mutual covenants contained herein, the Client and LBS agree as follows:

1. Effective Date; Term. LBS shall provide the Client the administrative services specified in the Agreement, beginning on the Effective Date, for the welfare benefit and/or fringe benefit plans(s) as identified in this ASA.

The Agreement will remain in effect for a period of one year from the Effective Date and shall renew automatically for consecutive twelve (12) month terms on the anniversary of the Effective Date unless earlier terminated in accordance with Section VII of the Spending Accounts Terms and Conditions.

2. Notices. Any notice given to a party under the terms of the Agreement shall be in writing and shall be delivered electronically (with return receipt requested) to the email address for that party shown below, or to any new email address for that party designated by written notice.

If to LBS: LBSContracts@lifetimebenefitsolutions.com

If to Client: , or the mayor@redhookvillage.gov current email address listed in LBS records.

If the Client contact information listed herein changes, the Client is required to provide written notification of such change to LBS within thirty (30) days following the effective date of such change.

3. Client Plans. This Agreement applies to the following Plan(s):

   • X Traditional Health Reimbursement Account (HRA)

4. Services provided by LBS. LBS will provide claims processing services, ongoing administration, open enrollment, web enrollment, enrollment services, new hires, terminations, and changes throughout the year for the Client Plan(s) referenced in (3) above. In addition, if elected by Client, LBS will provide the following:

• A. Debit Card. A debit card will be provided for some or all of the Plan(s), as applicable: X Yes

Rev. 06/2025

Docusign Envelope ID: 649C416D-7329-4C4E-85C0-BEC8256F98DDDocusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

• B. Compliance Services. Client wishes to engage LBS to provide the following Compliance Services: X Yes

  • (i) Plan Document Services. Plan document preparation services for one or more of the following Plans:

    • X Health Reimbursement Account (HRA)

5. Fees. The Consolidated Appropriations Act, 2021 (“CAA”) requires certain service providers to provide a compensation disclosure notice pursuant to ERISA §408(b)(2) identifying all compensation they may potentially receive in connection with covered services they provide to an ERISA-governed group health plan. To the extent LBS is required to provide this disclosure notice to the Client (as plan sponsor), the terms of this ASA serves as such disclosure notice.

ADMINISTRATION FEE

Monthly Administration Fee. The monthly administration fee is in effect for the first 12 months of this Agreement. Any subsequent monthly administration fees will be mutually agreed upon between Client and LBS as identified on the Fee Renewal, which is incorporated herein by reference. HRA $ 3.50 PEPM** Monthly Minimum $ 99.00

**PEPM means “per enrollee” per month. This is the monthly fee for each enrollee enrolled in the plan. For enrollees enrolled in two or more plans, the PEPM fee applies separately for each enrollee enrolled in each plan.

For this purpose, “enrollee” means any active employee or former employee, enrolled in the plan. The administration fee shall be based on the number of such enrollees as of the applicable billing determination date described in this paragraph . Billing for terminated enrollees and non-re-enrolling enrollees will continue through the enrollee’s runout date as defined in the applicable Plan Document.

COMPLIANCE SERVICES

Plan Document Preparation Services: The fees below include preparing the initial Plan document governing the operation of the Plan, Benefit Summary/Benefit Booklet or Summary Plan Description (Documents) containing the benefits offered to eligible employees under the Plan; initial Summary of Benefits and Coverage (if requested and needed); ongoing Plan amendments/Summary of Material Modifications (SMMs), as may be required as a result of plan design changes or regulatory provisions, upon request of Client.

Health Reimbursement Account (HRA) Fee Waived The fees indicated above do not cover future Plan restatements after initial preparation of the Plan Document. The fee for a Plan restatement is (a) $300 for each HRA. These fees apply separately for each Plan Document, unless otherwise stated.

2

Docusign Envelope ID: 649C416D-7329-4C4E-85C0-BEC8256F98DDDocusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

LBS and the Client hereby assent to this Agreement as of the Effective Date is confirmed by their signatures below. By executing this Agreement, Client hereby agrees to the Spending Accounts Terms and Conditions as set out at the following website: - - - - https://www.lifetimebenefitsolutions.com/documents/d/lbs/Spending Accounts terms and conditions Such terms and conditions shall remain in effect for the duration of this Agreement, unless notice of a change in such Spending Accounts Terms and Conditions are provided to Client at least ninety (90) days prior to the effective date of such change.

Lifetime Benefit Solutions, Inc.:

By: (Sg tua Print Name: Patricia Mooney Title: President Date: 2/2/2026

Village of Red Hook

By:

Print Name: Karen Smythe Title: Mayor Date:

3

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“BAA”), effective upon execution, is between with its principal place of Village of Red Hook business at 7467 South Broadway, red hook, NY 12571 (“Organization”), and Lifetime Benefit Solutions, Inc., with a principal place of business at 333 Butternut Drive, Syracuse, NY 13214 (“Business Associate”).

Organization and Business Associate are parties to one or more agreements pursuant to which Business Associate has agreed to provide certain services on Organization’s behalf (“Agreement”).

This BAA supersedes any prior BAA or similar terms incorporated into one or more Agreements between the Organization and the Business Associate.

Organization and Business Associate execute this BAA to comply with the requirements of the implementing regulations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as modified by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), otherwise known as the “HIPAA Rules.” Specifically, the HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 Code of Federal Regulations (“CFR”) Part 160 and Part 164. The HIPAA Privacy Rule is the Standards for Privacy of Individually Identifiable Health Information at 45 CFR, Part 160 and Part 164, subparts A and E. The HIPAA Security Rule is the HIPAA Security Standards (45 CFR Parts 160 and 164, Subpart C). The HIPAA Breach Notification Rule is the Notification in the Case of Breach of Unsecured Protected Health Information, as set forth at 45 CFR Part 164 Subpart D. Business Associate recognizes and agrees that it is obligated by law to meet the applicable provisions of the HIPAA Rules.

1. Privacy of Protected Health Information.

• (a) Permitted Uses and Disclosures. Business Associate is permitted to use and disclose Protected Health Information that it creates or receives on Organization’s behalf or receives from Organization (or another business associate of Organization) and to request Protected Health Information on Organization’s behalf (collectively, “Organization’s Protected Health Information”) only as follows:

  • (i) Functions and Activities on Organization’s Behalf. To perform functions, activities, services, and operations on behalf of Organization, consistent with the HIPAA Rules, as specified in the Agreement.

  • (ii) Business Associate’s Operations. For Business Associate’s proper management and administration or to carry out Business Associate’s legal

Lifetime Benefit Solutions, Inc.

1

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

responsibilities, provided that, with respect to disclosure of Organization’s Protected Health Information, either:

A) The disclosure is Required by Law; or

• B) The Business Associate obtains reasonable assurances from the person or entity to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person or entity; the person or entity will use appropriate safeguards to prevent unauthorized access to, use, or disclosure of the Protected Health Information, and the person or entity in possession of the Protected Health Information immediately notifies the Business Associate of any instance of which it is aware in which the confidentiality of the Protected Health Information has been breached; or

C) The Protected Health Information is de-identified.

• (b) Minimum Necessary. Business Associate will, in its performance of the functions, activities, services, and operations specified in Section 1(a) above, make reasonable efforts to use, to disclose, and to request of the Organization only the minimum amount of Organization’s Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure or request. In addition, Business Associate also agrees to follow appropriate minimum necessary policies in the performance of its obligations under this BAA. This minimum necessary requirement does not apply to:

  • (i) Disclosure to or request by a health care provider for Treatment;

  • (ii) Use for or disclosure to an individual who is the subject of Organization’s Protected Health Information, or that individual’s personal representative;

  • (iii) Use or disclosure made pursuant to an authorization compliant with 45 CFR § 164.508 that is signed by an individual who is the subject of Organization’s Protected Health Information to be used or disclosed, or by that individual’s personal representative;

  • (iv) Disclosure to DHHS in accordance with Section 5(a) of this BAA;

  • (v) Use or disclosure that is Required by Law; or

  • (vi) Any other use or disclosure that is excepted from the minimum necessary limitation as specified in 45 CFR § 164.502(b)(2).

• (c) Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose Organization’s Protected Health Information, except as

Lifetime Benefit Solutions, Inc.

2

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

permitted or required by this BAA or in writing by Organization or as Required by Law. This BAA does not authorize Business Associate to use or disclose

Organization’s Protected Health Information in a manner that will violate the 45 CFR Part 164, Subpart E “Privacy of Individually Identifiable Health Information” (“Privacy Rule”) if done by Organization, except as set forth in Section 1(a)(ii) of this BAA.

• (d) Sale of PHI. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI except where permitted by the Agreement and consistent with applicable law.

• (e) Marketing. Business Associate shall not directly or indirectly receive payment for any use or disclosure of PHI for marketing purposes except where permitted by the Agreement and consistent with applicable law.

(f) Information Safeguards.

• (i) Privacy of Organization’s Protected Health Information. Business Associate will implement appropriate administrative, technical, and physical safeguards to protect the privacy of Organization’s Protected Health Information. The safeguards must reasonably protect Organization’s Protected Health Information from any intentional or unintentional use or disclosure in violation of the Privacy Rule, 45 CFR Part 164, Subpart E and this BAA, and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this BAA.

• (ii) Security of Organization’s Electronic Protected Health Information. Business Associate will implement administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on Organization’s behalf as required by the Security Rule, 45 CFR Part 164, Subpart C. Business Associate shall implement policies and procedures and meet the Security Rule documentation requirements.

• (g) Subcontractors and Agents. Business Associate will require any of its subcontractors and agents, to which Business Associate is permitted by this BAA or in writing by Organization to disclose Organization’s Protected Health Information, to provide reasonable assurances that such subcontractor or agent will comply with the same privacy and security safeguard obligations with respect to Organization’s Protected Health Information that are applicable to Business Associate under this BAA.

2. Compliance with Transaction Standards. If Business Associate conducts in whole or part electronic Transactions on behalf of Organization for which DHHS has established Standards, Business Associate will comply, and will require any subcontractor or agent it

Lifetime Benefit Solutions, Inc.

3

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

involves with the conduct of such Transactions to comply, with each applicable requirement of the Transaction Rule, 45 CFR Part 162. Business Associate will not enter

into any Trading Partner Agreement in connection with the conduct of Standard Transactions on behalf of Organization that:

• (a) Changes the definition, data condition, or use of a data element or segment in a Standard Transaction;

• (b) Adds any data element or segment to the maximum defined data set;

• (c) Uses any code or data element that is marked “not used” in the Standard Transaction’s implementation specification or is not in the Standard Transaction’s implementation specification; or

• (d) Changes the meaning or intent of the Standard Transaction’s implementation specification.

3. Individual Rights.

• (a) Access. Business Associate will, within twenty (20) calendar days following Organization’s request, make available to Organization or, at Organization’s direction, to an individual (or the individual’s personal representative) for inspection and obtaining copies Organization’s Protected Health Information in a designated record set about the individual that is in Business Associate’s custody or control, consistent with the requirements of 45 CFR § 164.524.

• (b) Amendment. Business Associate will, upon receipt of written notice from Organization, promptly amend or permit Organization access to amend any portion of Organization’s Protected Health Information in a designated record set, so that Organization may meet its amendment obligations under 45 CFR § 164.526.

• (c) Disclosure Accounting. So that Organization may meet its disclosure accounting obligations under 45 CFR § 164.528:

  • i) Disclosures Subject to Accounting. Business Associate will record the information specified in Section 3(c)(iii) below (“Disclosure Information”) for each disclosure of Organization’s Protected Health Information, not excepted from disclosure accounting as specified in Section 3(c)(ii) below, that Business Associate makes to Organization or to a third party.

  • ii) Disclosures Not Subject to Accounting. Business Associate will not be obligated to record Disclosure Information or otherwise account for the following disclosures of Organization’s Protected Health Information:

    • A) That occurred before April 14, 2003;

Lifetime Benefit Solutions, Inc.

4

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

B) For Treatment, Payment or Health Care Operations activities;

• C) To an individual who is the subject of Organization’s Protected Health Information disclosed, or to that individual’s personal representative;

• D) Pursuant to an authorization compliant with 45 CFR § 164.508 that is signed by an individual who is the subject of Organization’s Protected Health Information disclosed, or by that individual’s personal representative;

• E) For notification of and to persons involved in the care or payment related to the health care of an individual who is the subject of Organization’s Protected Health Information disclosed and for disaster relief;

• F) To law enforcement officials or correctional institutions in accordance with 45 CFR § 164.512(k)(5);

• G) For national security or intelligence purposes in accordance with 45 CFR § 164.512(k)(2);

• H) In a Limited Data Set;

• I) Incident to a use or disclosure that Business Associate is otherwise permitted to make by this BAA; and

• J) Otherwise excepted from disclosure accounting as specified in 45 CFR § 164.528.

• iii) Disclosure Information. With respect to any disclosure by Business Associate of Organization’s Protected Health Information that is not excepted from disclosure accounting by Section 3(c)(ii) above, Business Associate will record the following Disclosure Information as applicable to the type of accountable disclosure made:

  • A) Disclosure Information Generally. Except for repetitive disclosures of Organization’s Protected Health Information as specified in Section 3(c)(iii)(B) below and for disclosures for large Research studies as specified in Section 3(c)(iii)(C) below, the Business Associate must record Disclosure Information as required by the HIPAA Privacy Rule for each accountable disclosure, including but not limited to: (i) the disclosure date, (ii) the name and (if known) address of the entity to which Business Associate made the disclosure, (iii) a brief description of Organization’s Protected Health Information disclosed, and (iv) a brief statement of the purpose of the disclosure.

Lifetime Benefit Solutions, Inc.

5

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

B) Disclosure Information for Repetitive Disclosures. For repetitive disclosures of Organization’s Protected Health Information that Business Associate makes for a single purpose to the same person or entity (including Organization), the Disclosure Information that Business Associate must record is either the Disclosure Information specified in Section 3(c)(iii)(A) above for each accountable disclosure, or (i) the Disclosure Information specified in Section 3(c)(iii)(A) above for the first of the repetitive accountable disclosures, (ii) the frequency, periodicity, or number of the repetitive accountable disclosures, and (iii) the date of the last of the repetitive accountable disclosures.

• C) Disclosure Information for Large Research Activities. For disclosures of Organization’s Protected Health Information that Business Associate makes for particular Research involving 50 or more individuals and for which an Institutional Review Board or Privacy Board has waived authorization during the period covered by an individual’s disclosure accounting request, the Disclosure Information that Business Associate must record is (i) the name of the Research protocol or activity, (ii) a plain language description of the Research protocol or activity, including its purpose and criteria for selecting particular records, (iii) a brief description of the type of Organization’s Protected Health Information disclosed for the Research, (iv) the dates or periods during which Business Associate made or may have made these disclosures, including the date of the last disclosure that Business Associate made during the period covered by an individual’s disclosure accounting request, (v) the name, address, and telephone number of the Research sponsor and of the researcher to whom Business Associate made these disclosures, and (vi) a statement that Organization’s Protected Health Information relating to an individual requesting the disclosure accounting may or may not have been disclosed for a particular Research protocol or activity.

• iv) Availability of Disclosure Information. Unless otherwise provided by applicable law, Business Associate will maintain the Disclosure Information for at least six (6) years following the date of the accountable disclosure to which the Disclosure Information relates.

Business Associate will make the Disclosure Information available to Organization within thirty (30) days following Organization’s request for such Disclosure Information to comply with an individual’s request for disclosure accounting.

• (d) Restriction Agreements and Confidential Communications. Business Associate will comply with any agreement that Organization makes that either (i) restricts use or disclosure of Organization’s Protected Health Information pursuant to 45 CFR § 164.522(a), or (ii) requires confidential communication

Lifetime Benefit Solutions, Inc.

6

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

about Organization’s Protected Health Information pursuant to 45 CFR § 164.522(b), provided that Organization notifies Business Associate in writing of

the restriction or confidential communication obligations that Business Associate must follow. Organization will promptly notify Business Associate in writing of the termination or alteration of any such restriction agreement or confidential communication requirement.

4. Privacy Obligation Breach and Security Incidents.

(a) Reporting.

• i) Privacy Breach. Business Associate will promptly advise the Organization of any use or disclosure of Organization’s Protected Health Information not permitted by this BAA or in writing by Organization. Business Associate will provide initial notification to the Organization, following discovery and without unreasonable delay, but in no event later than three (3) business days following discovery, any “Breach” of “Unsecured Protected Health Information” as these terms are defined by the Breach Notification Regulation. This obligation to notify shall include any unauthorized acquisition, access, use, or disclosure, even where Business Associate has determined that such unauthorized acquisition, access, use, or disclosure does not compromise the security or privacy of such information, unless such acquisition, access, use or disclosure is excluded from the definition of breach in 45 CFR 164.402(2). Business Associate shall cooperate with Organization in investigating the Breach and in meeting the Organization’s obligations under the Breach Notification Regulation and any other security breach notification laws.

• ii) In addition, following the initial notification referenced above, the Business Associate shall report any actual or reasonably suspected Breach to the Organization. Such report shall include the identification (if known) of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate will make the report to Organization’s Privacy Officer not more than ten (10) business days after Business Associate learns of such non-permitted use or disclosure, or promptly thereafter as information becomes available. Business Associate’s report will at least:

  • A) Provide a brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;

  • B) Provide a description of the types of Unsecured Protected Health Information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

Lifetime Benefit Solutions, Inc.

7

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

• C) Identify any steps individuals should take to protect themselves from potential harm resulting from the breach; and

• D) Include a brief description of what the Business Associate is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.

• iii) Security Incidents. Business Associate will report to Organization any attempted or successful (A) unauthorized access, use, disclosure, modification, or destruction of Organization’s Electronic Protected Health Information or (B) interference with Business Associate’s system operations in Business Associate’s information systems, of which Business Associate becomes aware. If any such security incident resulted in a disclosure of Organization’s Protected Health Information not permitted by this BAA, Business Associate must provide the notice and report as required by Section 4(a)(i) and (ii) above.

Notwithstanding the foregoing, the parties hereby agree that this BAA is sufficient notification of the occurrence of multiple, unsuccessful security incidents including but not limited to attempted penetration of Business Associate’s firewalls by computer viruses, attempted computer system hacks and other unsuccessful attacks on Business Associate’s security and data infrastructure. Business Associate shall provide specific details on any such unsuccessful security incident upon Organization’s specific request.

(b) Termination of Agreement.

• i) Right to Terminate for Breach. Either Party may terminate this BAA if it determined that the Other Party has breached a material provision of this BAA and, upon written notice to the Breaching Party of the breach, the Breaching Party fails to cure the breach within a reasonable period of time not to exceed thirty (30) days without the express, written consent of the Non-Breaching Party. The Non-Breaching Party may exercise this right to terminate this BAA by providing the Breaching Party with written notice of termination, stating the failure to cure the breach of the BAA that provides the basis for the termination. Any such termination will be effective immediately or at such other date specified in the notice of termination. If for any reason the Non-Breaching Party determines that the Breaching Party has breached the terms of this BAA and such breach has not been cured, but the Non-Breaching Party determines that termination of the Agreement is not feasible, Organization may report such breach to the U.S. Department of Health and Human Services.

ii) Obligations on Termination.

Lifetime Benefit Solutions, Inc.

8

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

Upon termination of this BAA for any reason, Business Associate shall return, or at Organization’s request, destroy all Protected Health Information that Business Associate still maintains in any form, and shall retain no copies of such Protected Health Information, except that Business Associate may maintain one copy for archival purposes to verify that it provided the services under the contract. If return or destruction is not feasible, Business Associate shall retain the Protected Health Information, subject to all of the protections of this BAA, and shall make no further use of such Protected Health Information.

• (c) Indemnity. Either Party (“Indemnifying Party”) shall indemnify, hold harmless and defend Other Party and its employees, officers and directors (each an “Indemnified Party”) for any third party claim against agents allegedly resulting from any unauthorized use or disclosure of Protected Health Information by the Indemnifying Party’s acts or omissions in violation of applicable law or this BAA (each a "PHI Breach Claim"). The selection of counsel, the conduct of the defense of any lawsuit and any settlement shall be within the sole control of the Indemnifying Party. The Indemnifying Party shall, at its sole cost and expense: (i) defend the Indemnified Parties from and against such PHI Breach Claim, and (ii) indemnify and hold the Indemnified Parties harmless from any damages or expenses (including reasonable attorney's fees) actually and finally awarded against an Indemnified Party for a PHI Breach Claim, or any settlement of a PHI Breach Claim made in lieu of further litigation.

5. Organization’s Obligations.

• (a) Organization shall notify Business Associate of Organization’s Notice of Privacy Practices, including any limitation(s) in accordance with 45 CFR 164.520, to the extent the Notice of Privacy Practices and/or such limitation(s) may affect Business Associate’s use or disclosure of Protected Health Information.

• (b) Organization shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.

• (c) Organization shall notify Business Associate of any amendment or restriction to use or disclosure of Protected Health Information that Organization has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of the Protected Health Information.

• (d) Organization shall ensure that any Secured Protected Health Information, as defined under the HITECH Act and guidance promulgated thereunder, transmitted by Organization to Business Associate shall be secured by a

Lifetime Benefit Solutions, Inc.

9

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

technology standard that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary specifying the technologies and methodologies that render Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals.

• (e) Organization shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule, the Security Rule, or the HIPAA Final Rule, except as permitted pursuant to the provisions of Section 1 of this BAA.

6. General Provisions.

• (a) Inspection of Internal Practices, Books, and Records. Business Associate will make its internal practices, books, and records relating to its use and disclosure of Organization’s Protected Health Information available to DHHS to determine Organization’s compliance with the Privacy Rule, 45 C.F.R. Part 164, Subpart E, and the Security Rule.

• (b) Definitions. The terms “Covered Entity,” “Electronic Protected Health Information,” “Protected Health Information,” “Standard,” “Trading Partner Agreement,” and “Transaction” have the meanings set out in 45 CFR § 160.103. The term “Standard Transaction” has the meaning set out in 45 CFR § 162.103. The term “Required by Law” has the meaning set out in 45 CFR § 164.103. The terms “Health Care Operations,” “Payment,” “Research,” and “Treatment” have the meanings set out in 45 CFR § 164.501. The term “Limited Data Set” has the meaning set out in 45 CFR § 164.514(e). The term “use” means, with respect to Protected Health Information, utilization, employment, examination, analysis or application within Business Associate. The terms “disclose” and “disclosure” mean, with respect to Protected Health Information, release, transfer, providing access to or divulging to a person or entity not within Business Associate. For purposes of this BAA, Organization’s Protected Health Information encompasses Organization’s Electronic Protected Health Information. Any other capitalized terms not identified here shall have the meaning as set forth in the HIPAA Rules.

• (c) Amendment to Agreement. Upon the compliance date of any final regulation or amendment to final regulation promulgated by DHHS that affects Business Associate’s use or disclosure of Organization’s Protected Health Information or Standard Transactions, the Agreement and this BAA will automatically amend such that the obligations imposed on Business Associate remain in compliance with the final regulation or amendment to final regulation.

Any other amendment or waiver of this BAA shall require a separate writing executed by the parties that expressly modifies or waives a specific provision(s) of this BAA.

Lifetime Benefit Solutions, Inc.

10

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

7. Conflicts. The terms and conditions of this BAA will override and control any conflicting term or condition of Agreement. All non-conflicting terms and conditions of Agreement remain in full force and effect.

8. No Third Party Beneficiaries. Organization and Business Associate agree that there are no intended third party beneficiaries under, or other parties to, this BAA.

9. Governing Law; Jurisdiction; Venue. This BAA will be governed by and construed in accordance with the laws of the State of New York. Any action brought under this BAA will be brought in a court of competent jurisdiction venued in the County of Onondaga, State of New York.

Balance of page intentionally left blank Signature page to follow

Lifetime Benefit Solutions, Inc.

11

Docusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

q LifetimeBenefit Solutions

IN WITNESS WHEREOF, Organization and Business Associate execute this BAA in multiple originals to be effective on the last date written below.

Lifetime Benefit Solutions, Inc.: By: Fatue Wlesney )

Name: Patricia Mooney

Title: President

Date: 2/2/2026

Village of Red Hook

By: Name: Karen Smythe

Title: Mayor

Date:

Lifetime Benefit Solutions, Inc.

12

Docusign Envelope ID: 649C416D-7329-4C4E-85C0-BEC8256F98DDDocusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

Lifetime Benefits Solutions Authorization for Electronic Funds Transfer

This form gives Lifetime Benefit Solutions authorization to electronically withdraw funds per information provided.

Section 1 - Adminstrative Fee Payments

Important: Only one form of payment can be used for ALL administrative fees. If electronic payment is not selected all administrative fees must be paid via check or wire.

LBS Administration Company ID 9162865001

Bank Information Bank Name: Ce Account No: ABA/RTN No: Account Type: Checking or Savings a = = Bank Contact: Title: I E-mail Address: Telephone No: SSa Section 2 - Claim Reimbursement Payments You acknowledge that completion of this section gives Lifetime Benefit Solutions authorization to electronically withdraw funds from the account specified below for claim reimbursement payments made to your participants. In addition, any credits will be issued to this account. When claim reimbursement checks are mailed to participants, a summary report will also be emailed to a Plan Representative with both the participant check details and the Plan total. The Plan total represents the amount that must be available in your account for this check cycle. Lifetime Benefit Solutions will send this weekly report via email to:

Send report to (print name): _______________________________________________________________________________________________________________________________________

Email report to (print email address): ________________________________________________________________________________________________________________________

Please check if you want to use same banking information as Section 1 (Administration Fee Payments). If not the same, please complete Bank Information below:

LBS Reimbursement Company ID 9162865003 Bank Information Bank Name: Ce Account No: ABA/RTN No: Account Type: Checking or Savings es Bank Contact: Title: Ce = ee © E-mail Address: Telephone No: I ——

B-8952/20931-25LBS A11yCRG06302025

Docusign Envelope ID: 649C416D-7329-4C4E-85C0-BEC8256F98DDDocusign Envelope ID: 4FB14C28-8EA8-4257-858B-C9C21B2C4BB5

The Bancorp Bank Payment Solutions Group

AUTHORIZATION FOR ACH DEBITS / CREDITS

________________________________________________________ Depositor Name as Shown on Bank Records

________________________________________________________ Checking Account Number/ Transit Routing Number

(A voided check or spec sheet must be attached for this account)

TO: ____________________________________________________

________________________________________________________ (Bank Address: Street, Box #, City, State and Zip Code)

Depositor authorizes The Bancorp Bank to present automated debits and credits to and from the above listed account as required to perform their responsibilities related to processing Depositor’s benefit program. This authorization will remain in effect until revoked by Depositor in writing and until you actually receive such notice Depositor agrees that you shall be fully protected in honoring any such ACH transaction.

Depositor agrees that your treatment of each such ACH transaction and your rights in respect to it shall be the same as if it were a check signed by Depositor.

I authorize payments to be withdrawn daily or weekly as needed.

Dated this _____ day of _____, 20.

________________________________________________________ Signature of Depositor in Agreement with Bank Records

Please update your ACH filter (on the above reference account) to grant access to The Bancorp Bank. The Bancorp Bank identification number is: 1050006509 .